CN110113435A - Method and apparatus for flow cleaning
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L43/0894—Packet rate
- H04L43/16—Threshold monitoring
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1036—Load balancing of requests to servers for services different from user content provisioning, e.g. load balancing across domain name servers
- H04L67/63—Routing a service request depending on the request content or context
Abstract
The invention discloses a method and apparatus for flow cleaning, relating to the field of communication technology, to solve the problem that attack traffic can currently be protected against only by a local network safeguard alone or by a cloud device alone. The method comprises: after detecting attack traffic, a network traffic monitoring device determines the size of the attack traffic; the network traffic monitoring device determines, according to the size of the attack traffic and the protective capability of the safeguards, the safeguard that cleans the attack traffic, wherein the safeguards include a local network safeguard and a cloud network safeguard, and the protective capability of a safeguard indicates its ability to protect against and clean attack traffic; the network traffic monitoring device diverts the attack traffic to the determined safeguard. Because the safeguard can be selected according to the size of the attack traffic and the protective capability of the safeguards, the invention achieves intelligent flow cleaning.
Description
Technical field
The present invention relates to the technical field of network security, and in particular to a method and apparatus for flow cleaning.
Background
With the arrival of Internet 2.0, networks have become more deeply interwoven with people's lives, and the importance of network security has become more pronounced. As new types of network attack keep emerging at home and abroad and attack traffic surges, flow cleaning, a technology that detects and controls attack traffic, has gradually arisen; it is highly effective for monitoring DDoS (Distributed Denial of Service) attacks and network intrusions.
The principle of flow cleaning is that, after an attack is found, the routing direction of the traffic is changed so that the traffic is diverted to a local network safeguard or a cloud network safeguard, which cleans the attack traffic; the normal traffic is then re-injected into the network.
However, although traditional purely local protection can achieve fine-grained flow cleaning, it is constrained by bandwidth and by the cost of adding local safeguards, and can hardly protect against high-volume attacks. A cloud protection scheme can defend against very-high-volume attacks, but its protection granularity is not fine enough and it is difficult to tailor a specific protection scheme to each customer, so its effect is not ideal either.
In summary, at present attack traffic can only be protected against by a network protection device alone or by a cloud safeguard alone, and the advantages of the two cannot be fully combined to achieve better protection.
Summary of the invention
The present invention provides a method and apparatus for flow cleaning, to solve the problem in the prior art that attack traffic can only be protected against by a network protection device alone or by a cloud safeguard alone, so that the advantages of the two cannot be fully used.
In a first aspect, a flow cleaning method provided by an embodiment of the present invention includes:
after detecting attack traffic, a network traffic monitoring device determines the size of the attack traffic;
the network traffic monitoring device determines, according to the size of the attack traffic and the protective capability of the safeguards, the safeguard that cleans the attack traffic, wherein the safeguards include a local network safeguard and a cloud network safeguard, and the protective capability of a safeguard indicates its ability to protect against and clean attack traffic;
the network traffic monitoring device diverts the attack traffic to the determined safeguard.
In the above method, because the safeguards of the present invention include a local network safeguard and a cloud network safeguard, the safeguard that cleans the attack traffic can be selected according to the size of the attack traffic and the protective capability of the safeguards, and the network traffic monitoring device performs the intelligent selection of the protection module. Attack traffic is therefore no longer protected against by a network protection device alone or by a cloud safeguard alone; compared with cleaning only locally or only in the cloud, the cleaning resources of both are used more efficiently. Moreover, as more traffic attacks the network, the protective capability and cleaning capability of a safeguard gradually decrease; because the selection considers both the size of the attack traffic and each safeguard's ability to protect against and clean attack traffic, the selected safeguard is a better choice and the cleaning effect is better.
In one possible implementation, the network traffic monitoring device determining, according to the size of the attack traffic and the protective capability of the safeguards, the safeguard that cleans the attack traffic comprises:
the network traffic monitoring device judges, according to the size of the attack traffic and the protective capability of the safeguards, whether there is a local network safeguard that meets the cleaning condition;
if so, the network traffic monitoring device selects at least one local network safeguard from the local network safeguards that meet the cleaning condition as the safeguard that cleans the attack traffic;
otherwise, the network traffic monitoring device selects at least one cloud network safeguard from the cloud network safeguards that meet the cleaning condition as the safeguard that cleans the attack traffic.
In the above method, a local network safeguard is preferred for smaller attack traffic, because the protection granularity of a local network safeguard is finer than that of a cloud network safeguard and different protection policies can be chosen for different customers, so that finer cleaning is achieved. When the attack traffic is larger, the local network safeguard is limited by bandwidth, and a cloud network safeguard is selected to clean the attack traffic. Further, because the safeguard that cleans the attack traffic must meet the cleaning condition, more efficient flow cleaning and effective use of cleaning resources are achieved: local cleaning resources are used when the local network protection module has sufficient capability, and cloud resources are used for protection when local cleaning resources are insufficient to cope.
In one possible implementation, the cleaning condition is:
the size of the attack traffic is no greater than the maximum protection traffic threshold of the safeguard, the protection parameter determined by the protective capability of the safeguard is less than the protective capability utilization threshold, and the cleaning parameter determined by the protective capability of the safeguard is less than the cleaning peak threshold.
In the above method, as more traffic attacks, the protective capability and cleaning capability of a safeguard gradually decrease. Once a protection parameter and a cleaning parameter have been determined from the safeguard's protection and cleaning capability, the protective capability and cleaning capability of the safeguard can be expressed quantitatively. A safeguard is then chosen for which the size of the attack traffic does not exceed the maximum protection traffic threshold of the safeguard, the protection parameter is below the protective capability utilization threshold, and the cleaning parameter is below the cleaning capability utilization threshold; a safeguard selected under these conditions is a better choice.
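The local-first selection and the three-part cleaning condition described above can be sketched as follows. This is an added example, not code from the patent. The field names, the 0..1 scale of the two parameters, the least-loaded tie-break, the load model in `divert`, and the `None` result when no safeguard qualifies are all assumptions made for illustration.

```python
"""Added example: local-first safeguard selection using the cleaning condition."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Safeguard:
    name: str
    location: str            # "local" or "cloud"
    max_protect_gbps: float  # maximum protection traffic threshold
    protection_param: float  # assumed: share of protective capability in use (0..1)
    cleaning_param: float    # assumed: share of cleaning capacity in use (0..1)


@dataclass
class Thresholds:
    protection_utilisation: float  # protective capability utilization threshold
    cleaning_peak: float           # cleaning peak threshold


def meets_cleaning_condition(attack_gbps: float, sg: Safeguard, th: Thresholds) -> bool:
    """All three parts of the cleaning condition must hold at once."""
    return (attack_gbps <= sg.max_protect_gbps                   # "no greater than"
            and sg.protection_param < th.protection_utilisation  # strictly below
            and sg.cleaning_param < th.cleaning_peak)            # strictly below


def select_safeguard(attack_gbps: float, fleet: List[Safeguard],
                     th: Thresholds) -> Optional[Safeguard]:
    """Prefer a qualifying local safeguard; fall back to a qualifying cloud one."""
    for location in ("local", "cloud"):
        eligible = [s for s in fleet
                    if s.location == location
                    and meets_cleaning_condition(attack_gbps, s, th)]
        if eligible:
            # Assumption: among qualifying devices take the least utilised one.
            return min(eligible, key=lambda s: s.protection_param)
    return None  # assumption: nothing qualifies, the caller must escalate


def divert(attack_gbps: float, sg: Safeguard) -> None:
    """Assumed load model: an attack consumes capacity in proportion to its size."""
    share = attack_gbps / sg.max_protect_gbps
    sg.protection_param = min(1.0, sg.protection_param + share)
    sg.cleaning_param = min(1.0, sg.cleaning_param + share)


def handle_attacks(attacks_gbps: List[float], fleet: List[Safeguard],
                   th: Thresholds) -> List[Optional[str]]:
    """Select a safeguard for each attack in turn and record the choice."""
    chosen = []
    for size in attacks_gbps:
        sg = select_safeguard(size, fleet, th)
        chosen.append(sg.name if sg else None)
        if sg:
            divert(size, sg)
    return chosen


def sample_fleet() -> List[Safeguard]:
    """Constructed sample data, not values from the patent."""
    return [
        Safeguard("local-1", "local", 10.0, 0.20, 0.10),
        Safeguard("local-2", "local", 10.0, 0.50, 0.30),
        Safeguard("cloud-1", "cloud", 500.0, 0.10, 0.10),
    ]


TH = Thresholds(protection_utilisation=0.80, cleaning_peak=0.80)

if __name__ == "__main__":
    # Four equal 4 Gbps attacks: the fourth goes to the cloud because both
    # local safeguards have crossed the utilisation threshold by then.
    print(handle_attacks([4, 4, 4, 4], sample_fleet(), TH))
    # A 50 Gbps attack exceeds every local maximum; 1000 Gbps exceeds all.
    print(handle_attacks([50, 1000], sample_fleet(), TH))
```

Because the parameters are re-evaluated for every attack, the same attack size can be cleaned locally at first and in the cloud later, which is the behaviour the paragraph above attributes to the decreasing capability of a loaded safeguard.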
In one possible implementation, the method further includes:
the network traffic monitoring device periodically sends a protection policy synchronization instruction to the determined safeguard, so that protection policies are shared between the local network safeguard and the cloud network safeguard.
In the above method, the protection policy synchronization instruction triggers protection policy sharing between the local network safeguard and the cloud network safeguard, so that the cloud network safeguard obtains finer-grained protection policies in addition to its own. The cloud network safeguard can thus choose different protection policies for different customers when cleaning attack traffic, which enhances its protection granularity. Sharing protection policies between local and cloud cleaning resources helps optimize the policies; making full use of policy sharing among the local cleaning resources and the cloud cleaning resources makes the protection policies more intelligent and facilitates efficient attack traffic cleaning.
In a second aspect, a flow cleaning method provided by an embodiment of the present invention includes:
a cloud network safeguard receives attack traffic diverted by a network traffic monitoring device;
the cloud network safeguard cleans the attack traffic;
wherein the attack traffic is diverted to the cloud network safeguard after the network traffic monitoring device has determined, according to the size of the attack traffic and the protective capability of the safeguards, that the cloud network safeguard is to clean the attack traffic; the safeguards include a local network safeguard and a cloud network safeguard, and the protective capability of a safeguard indicates its ability to protect against and clean attack traffic.
In the above method, the attack traffic is diverted after the network traffic monitoring device has determined, according to the size of the attack traffic and the protective capability of the safeguards, that the cloud network safeguard is to clean it. In this case the cleaning effect of the local network safeguard is not as good as that of the cloud, and the cloud network safeguard can clean high-volume traffic; the cloud safeguard is therefore triggered to start cleaning, so that attack traffic is no longer protected against by a network protection device alone or by a cloud safeguard alone.
In one possible implementation, the cloud network safeguard cleaning the attack traffic comprises:
the cloud network safeguard selects, from a protection policy set, the protection policy corresponding to the attack target IP (Internet Protocol) address of the attack traffic;
the cloud network safeguard cleans the attack traffic according to that protection policy.
In the above method, when cleaning attack traffic the cloud network safeguard no longer relies only on its own protection policy, but selects from the protection policy set the protection policy corresponding to the attack target IP address of the attack traffic. Different protection policies can thus be chosen for different customers to achieve finer flow cleaning, which enhances the protection granularity of the cloud network safeguard and achieves efficient attack traffic cleaning.
In one possible implementation, before the cloud network safeguard selects from the protection policy set the protection policy corresponding to the attack target IP address of the attack traffic, the method further includes:
the cloud network safeguard receives the protection policy sent by the local network safeguard and adds it to the protection policy set.
In the above method, the local network safeguard sends protection policies to the cloud network safeguard, and the cloud network safeguard merges the shared protection policies into the protection policy set after receiving them. This enriches the protection policies of the cloud network safeguard, which are no longer only its own, and makes it easier to improve its protection granularity.
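A cloud-side protection policy set of the kind described above, which merges policies shared by local safeguards and selects one by attack target IP address, might look like this. It is an added example, not code from the patent. The policy fields, device names, longest-prefix matching, the fallback to the cloud's own policy, and the rule that a local safeguard may publish policies only for address ranges registered to it are assumptions.

```python
"""Added example: cloud-side protection policy set keyed by attack target address."""
import ipaddress


class PolicySet:
    def __init__(self, default_policy, owned_ranges):
        # The cloud safeguard's own policy, used when no shared policy matches.
        self.default_policy = default_policy
        # Assumed trust model: each local safeguard may publish policies only
        # for the address ranges registered to it.
        self.owned = {dev: [ipaddress.ip_network(r) for r in ranges]
                      for dev, ranges in owned_ranges.items()}
        self.policies = {}  # ip_network -> policy dict

    def add_from_local(self, device, target, policy):
        """Merge a policy shared by a local safeguard; return True if accepted."""
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:
            return False  # malformed target address or prefix
        allowed = any(net.version == r.version and net.subnet_of(r)
                      for r in self.owned.get(device, []))
        if not allowed:
            return False  # unknown device, or target outside its ranges
        self.policies[net] = dict(policy)  # a newer policy replaces the older one
        return True

    def select(self, target_ip):
        """Return the most specific policy covering the attack target address."""
        addr = ipaddress.ip_address(target_ip)
        matches = [n for n in self.policies
                   if n.version == addr.version and addr in n]
        if not matches:
            return self.default_policy
        return self.policies[max(matches, key=lambda n: n.prefixlen)]


def build_sample():
    """Constructed sample data using documentation address ranges."""
    ps = PolicySet(
        default_policy={"name": "cloud-default", "syn_pps_limit": 100000},
        owned_ranges={"local-a": ["203.0.113.0/24"],
                      "local-b": ["198.51.100.0/24"]},
    )
    ps.add_from_local("local-a", "203.0.113.0/24",
                      {"name": "a-net", "syn_pps_limit": 5000})
    ps.add_from_local("local-a", "203.0.113.10",
                      {"name": "a-web", "syn_pps_limit": 800})
    return ps


if __name__ == "__main__":
    ps = build_sample()
    for ip in ("203.0.113.10", "203.0.113.77", "192.0.2.1"):
        print(ip, "->", ps.select(ip)["name"])
    # A local safeguard cannot publish a policy for another customer's range.
    print(ps.add_from_local("local-a", "198.51.100.5", {"name": "bad"}))
```

Checking the publisher against its registered ranges matters because a shared policy changes how the cloud cleans traffic for that target; without the check, one customer's device could weaken another customer's protection.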
In a third aspect, a flow cleaning device provided by an embodiment of the present invention includes at least one processing unit and at least one storage unit, wherein the storage unit stores program code which, when executed by the processing unit, causes the processing unit to perform the following process:
after detecting attack traffic, determining the size of the attack traffic;
determining, according to the size of the attack traffic and the protective capability of the safeguards, the safeguard that cleans the attack traffic, wherein the safeguards include a local network safeguard and a cloud network safeguard, and the protective capability of a safeguard indicates its ability to protect against and clean attack traffic;
diverting the attack traffic to the determined safeguard.
In one possible implementation, the processing unit is specifically configured to:
judge, according to the size of the attack traffic and the protective capability of the safeguards, whether there is a local network safeguard that meets the cleaning condition;
if so, select at least one local network safeguard from the local network safeguards that meet the cleaning condition as the safeguard that cleans the attack traffic;
otherwise, select at least one cloud network safeguard from the cloud network safeguards that meet the cleaning condition as the safeguard that cleans the attack traffic.
In one possible implementation, the cleaning condition is:
the size of the attack traffic is no greater than the maximum protection traffic threshold of the safeguard, the protection parameter determined by the protective capability of the safeguard is less than the protective capability utilization threshold, and the cleaning parameter determined by the protective capability of the safeguard is less than the cleaning peak threshold.
In one possible implementation, the processing unit is further configured to:
periodically send a protection policy synchronization instruction to the determined safeguard, so that protection policies are shared between the local network safeguard and the cloud network safeguard.
In a fourth aspect, an embodiment of the present invention further provides a flow cleaning device, which includes at least one processing unit and at least one storage unit, wherein the storage unit stores program code which, when executed by the processing unit, causes the processing unit to perform the following process:
receiving attack traffic diverted by a network traffic monitoring device;
cleaning the attack traffic;
wherein the attack traffic is diverted to the cloud network safeguard after the network traffic monitoring device has determined, according to the size of the attack traffic and the protective capability of the safeguards, that the cloud network safeguard is to clean the attack traffic; the safeguards include a local network safeguard and a cloud network safeguard, and the protective capability of a safeguard indicates its ability to protect against and clean attack traffic.
In one possible implementation, the processing unit is specifically configured to:
select, from a protection policy set, the protection policy corresponding to the attack target IP address of the attack traffic;
clean the attack traffic according to that protection policy.
In one possible implementation, the processing unit is further configured to:
before selecting from the protection policy set the protection policy corresponding to the attack target IP address of the attack traffic, receive the protection policy sent by the local network safeguard and add it to the protection policy set.
In a fifth aspect, an embodiment of the present invention further provides a flow cleaning device, which includes a traffic size detection module, a safeguard selection module and a traffic diversion module:
the traffic size detection module is configured to determine the size of the attack traffic after attack traffic is detected;
the safeguard selection module is configured to determine, according to the size of the attack traffic and the protective capability of the safeguards, the safeguard that cleans the attack traffic, wherein the safeguards include a local network safeguard and a cloud network safeguard, and the protective capability of a safeguard indicates its ability to protect against and clean attack traffic;
the traffic diversion module is configured to divert the attack traffic to the determined safeguard.
In one possible implementation, the safeguard selection module is specifically configured to:
judge, according to the size of the attack traffic and the protective capability of the safeguards, whether there is a local network safeguard that meets the cleaning condition;
if so, select at least one local network safeguard from the local network safeguards that meet the cleaning condition as the safeguard that cleans the attack traffic;
otherwise, select at least one cloud network safeguard from the cloud network safeguards that meet the cleaning condition as the safeguard that cleans the attack traffic.
In one possible implementation, the cleaning condition is:
the size of the attack traffic is no greater than the maximum protection traffic threshold of the safeguard, the protection parameter determined by the protective capability of the safeguard is less than the protective capability utilization threshold, and the cleaning parameter determined by the protective capability of the safeguard is less than the cleaning peak threshold.
In one possible implementation, the traffic diversion module is further configured to:
periodically send a protection policy synchronization instruction to the determined safeguard, so that protection policies are shared between the local network safeguard and the cloud network safeguard.
In a sixth aspect, an embodiment of the present invention further provides a flow cleaning device, which includes a receiving module and a flow cleaning module:
the receiving module is configured to receive attack traffic diverted by a network traffic monitoring device;
the flow cleaning module is configured to clean the attack traffic;
wherein the attack traffic is diverted to the cloud network safeguard after the network traffic monitoring device has determined, according to the size of the attack traffic and the protective capability of the safeguards, that the cloud network safeguard is to clean the attack traffic; the safeguards include a local network safeguard and a cloud network safeguard, and the protective capability of a safeguard indicates its ability to protect against and clean attack traffic.
In one possible implementation, the flow cleaning module is specifically configured to:
select, from a protection policy set, the protection policy corresponding to the attack target IP address of the attack traffic;
clean the attack traffic according to that protection policy.
In one possible implementation, the receiving module is further configured to:
before the protection policy corresponding to the attack target IP address of the attack traffic is selected from the protection policy set, receive the protection policy sent by the local network safeguard and add it to the protection policy set.
In a seventh aspect, the present application further provides a computer storage medium storing a computer program which, when executed by a processing unit, implements the steps of the method of the first aspect.
In addition, for the technical effects brought by any implementation of the second to sixth aspects, refer to the technical effects brought by the different implementations of the first and second aspects; details are not repeated here.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a flow cleaning system provided by an embodiment of the present invention;
Fig. 2A is a schematic diagram of a flow cleaning apparatus provided by an embodiment of the present invention;
Fig. 2B is a schematic diagram of a module division provided by an embodiment of the present invention;
Fig. 2C is a schematic diagram of another module division provided by an embodiment of the present invention;
Fig. 3A is a schematic diagram of the network topology of a flow cleaning apparatus provided by an embodiment of the present invention;
Fig. 3B is a schematic diagram of the execution process of a network traffic monitoring module provided by an embodiment of the present invention;
Fig. 4 is a schematic diagram of a flow cleaning method provided by an embodiment of the present invention;
Fig. 5 is a schematic diagram of another flow cleaning method provided by an embodiment of the present invention;
Fig. 6 is a schematic diagram of a complete flow cleaning method provided by an embodiment of the present invention;
Fig. 7 is a schematic diagram of another complete flow cleaning method provided by an embodiment of the present invention;
Fig. 8 is a schematic diagram of a first network traffic monitoring device provided by an embodiment of the present invention;
Fig. 9 is a schematic diagram of a first cloud network safeguard provided by an embodiment of the present invention;
Fig. 10 is a schematic diagram of a second network traffic monitoring device provided by an embodiment of the present invention;
Fig. 11 is a schematic diagram of a second cloud network safeguard provided by an embodiment of the present invention.
Detailed description of the embodiments
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Some terms that appear in the text are explained below:
1. The term "and/or" in the embodiments of the present invention describes an association between associated objects and indicates that three relationships are possible; for example, "A and/or B" can mean: A alone, both A and B, or B alone. The character "/" generally indicates an "or" relationship between the objects before and after it.
2. The term "attack traffic" (Network Attack) in the embodiments of the present invention is the data flow generated by a network attack. A network attack (cyberattack) is any kind of offensive action against computer information systems, infrastructure, computer networks or personal computer devices. In computers and computer networks, destroying, disclosing, modifying, or disabling software or services, or stealing or accessing the data of any computer without authorization, is regarded as an attack on computers and computer networks.
The application scenarios described in the embodiments of the present invention are intended to illustrate the technical solutions of the embodiments more clearly and do not limit the technical solutions provided by the embodiments; a person of ordinary skill in the art knows that, as new application scenarios emerge, the technical solutions provided by the embodiments are equally applicable to similar technical problems. In the description of the present invention, unless otherwise stated, "a plurality of" means two or more.
Traffic diversion (traction) technology was proposed to defend against large-scale DDoS attacks and to avoid single points of failure. Initially, defence against DDoS attacks was performed by the anti-DDoS module on a firewall. However, even in an excellent firewall product, the defence capability of the anti-DDoS module is relatively weak. Therefore, to improve defence against DDoS attacks, devices dedicated to defending against DDoS attacks are deployed in the network. Suppose a server in the network is under DDoS attack: traffic diversion sends the traffic of that server to the dedicated DDoS defence device in the network, while the remaining normal traffic is forwarded along its original path.
The device in the network dedicated to defending against DDoS attacks is also called a flow cleaning device. Its main functions are traction, cleaning and re-injection. Traction means forwarding the traffic destined for the server under DDoS attack to the flow cleaning device; cleaning means that the flow cleaning device intercepts the traffic containing the DDoS attack from the traffic it receives; re-injection means that, after intercepting the traffic containing the DDoS attack, the flow cleaning device forwards the normal traffic back to the router.
In the prior art, cleaning attack traffic mainly goes through four stages: flow detection, flow traction, flow cleaning and flow re-injection. For example:
1) Flow detection: the specified traffic can be obtained by mirroring, optical splitting or similar means and inspected to detect whether it is attack traffic.
2) Flow traction: after attack traffic is detected, the customer traffic that needs protection is diverted to the flow cleaning device for protection by means such as the BGP (Border Gateway Protocol) dynamic routing protocol.
3) Flow cleaning: after receiving the diverted traffic, the flow cleaning device performs attack identification and uses specialized DDoS protection techniques to clean the attack packets.
4) Flow re-injection: after cleaning is complete, the flow cleaning device re-injects the cleaned normal traffic into the user network.
Therefore, the embodiment of the present invention proposes an intelligent flow cleaning scheme that can perform flow cleaning intelligently according to the attack type, the size of the attack traffic and the remaining protective capability of the protection modules, achieving intelligent protection. Compared with the prior art, the present invention makes effective use of cleaning resources: local cleaning resources are used when the local protection module has sufficient capability, and cloud resources are used for protection when local cleaning resources are insufficient to cope.
For the above scenario, the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
As shown in Figure 1, the method for the flow cleaning of the embodiment of the present invention, system includes: 10 He of Network Traffic Monitoring equipment
Cloud network safeguard 20.
Network Traffic Monitoring equipment 10, for after detecting attack traffic, determining the size of the attack traffic;Root
Determine that the protection cleaned to the attack traffic is set according to the size of the attack traffic and the protective capacities of safeguard
It is standby, wherein the safeguard includes local network safeguard and cloud network safeguard, the protection of the safeguard
Ability indicates the ability that the safeguard protects attack traffic and cleans;The attack traffic is drawn to determining
Safeguard.
Cloud network safeguard 20, for receiving the attack traffic drawn by Network Traffic Monitoring equipment;It is attacked to described
Flow is hit to be cleaned;
Wherein, the attack traffic is size and protection of the Network Traffic Monitoring equipment according to the attack traffic
The protective capacities of equipment, which is determined, carries out cleaning rear haulage to the cloud net to the attack traffic by cloud network safeguard
Network safeguard, the safeguard includes local network safeguard and cloud network safeguard, the safeguard
Protective capacities indicate the ability that the safeguard protects attack traffic and cleans.
With the above scheme, because the safeguards of the present invention include local network safeguards and cloud network safeguards, the safeguard that cleans the attack traffic can be selected according to the size of the attack traffic and the protective capacity of the safeguards. The Network Traffic Monitoring equipment performs this intelligent selection of network protection module, so that the attack traffic is handled by either a local network safeguard or a cloud safeguard as appropriate. Compared with a scheme that cleans only locally or only in the cloud, the cleaning resources of both local and cloud are used more efficiently. Moreover, the protective capacity and cleaning capacity of a safeguard change gradually as, for example, the number of cleanings it performs increases; because the size of the attack traffic and the safeguard's ability to protect against and clean attack traffic are both considered when selecting a safeguard, the selected safeguard is a better choice and the cleaning effect is better.
In the embodiment of the present invention, the Network Traffic Monitoring equipment monitors network traffic in real time and, when it detects attack traffic, decides which safeguard will clean the attack traffic.
In the embodiment of the present invention, there is at least one each of the Network Traffic Monitoring equipment, the cloud network safeguard and the local network safeguard, for example one Network Traffic Monitoring equipment, one cloud network safeguard and one local network safeguard.
Optionally, based on the above, the embodiment of the present invention provides an attack traffic cleaning device including Network Traffic Monitoring module 200, local network protection module 201 and cloud network protection module 202, as shown in Figure 2A. A local network protection module may include only one local network safeguard or multiple local network safeguards; likewise, a cloud network protection module may include only one cloud network safeguard or multiple cloud network safeguards. There is also at least one each of the Network Traffic Monitoring module, the local network protection module and the cloud network protection module.
The local network protection module is deployed at the local network entrance and cleans traffic entering and leaving the local network; its cleaning capacity is generally on the order of tens of Gbps.
The Network Traffic Monitoring module monitors the traffic of the local network ingress router or switching equipment, receives messages from multiple network protection modules, and is configured with a traction strategy based on the protective capacity of the safeguards. When attack traffic is detected, it calculates the protection parameter and cleaning parameter of each network protection module in real time and decides, according to the situation, among the following: sending a traction route directly to the router or switching equipment, so that the attack traffic is drawn to the local network protection module for cleaning; or, in route traction mode, sending a notification to the upper-layer Network Traffic Monitoring module (the Network Traffic Monitoring module corresponding to the cloud), which triggers traction of the traffic to the upper-layer cloud network protection module; or, in the DNS traction case, sending a traction notification to the DNS configuration server, so that the traffic is drawn to the cloud network protection module by modifying DNS entries. At the same time, the local network protection module shares prevention policy information with the cloud network protection module, including the attacked IP, the traction retention time, the attack type detected and the prevention policy used. When the attack traffic for the attacked IP is drawn to it, the cloud network protection module uses the attack type and prevention policy sent by the local network protection module to optimize its prevention policies intelligently, so that local and cloud work in linkage and flow cleaning is carried out more efficiently and intelligently.
Specifically, the Network Traffic Monitoring equipment determines the safeguard that cleans the attack traffic, according to the size of the attack traffic and the protective capacity of the safeguards, as follows:
The Network Traffic Monitoring equipment judges, according to the size of the attack traffic and the protective capacity of the safeguards, whether there is a local network safeguard that meets the cleaning condition. If so, it selects at least one local network safeguard from those that meet the cleaning condition as the safeguard that cleans the attack traffic; otherwise, it selects at least one cloud network safeguard from the cloud network safeguards that meet the cleaning condition as the safeguard that cleans the attack traffic.
The cleaning condition is:
The size of the attack traffic is no greater than the maximum protection flow threshold of the safeguard, the protection parameter determined from the safeguard's protective capacity is less than the protective capacity utilization threshold, and the cleaning parameter determined from the safeguard's protective capacity is less than the cleaning peak threshold.
For example, the Network Traffic Monitoring equipment detects attack traffic of size 10Gbps, and there are 4 safeguards in total: local network safeguard A, local network safeguard B, cloud network safeguard C and cloud network safeguard D. The Network Traffic Monitoring equipment may receive the protective capacity reported by each safeguard, or calculate the protective capacity of each safeguard from the protective capacity indicators that each safeguard reports.
Assume that the cleaning peak threshold is 90%, the protective capacity utilization threshold is 80%, the maximum protection flow threshold of local network safeguard A is 10Gbps, that of local network safeguard B is 15Gbps, that of cloud network safeguard A is 30Gbps and that of cloud network safeguard B is 50Gbps, and that the protection parameters and cleaning parameters of these 4 safeguards are all 0. The Network Traffic Monitoring equipment determines that there are local network safeguards meeting the cleaning condition, namely local network safeguard A and local network safeguard B, and selects at least one of them as the safeguard that cleans this attack traffic.
If the attack traffic detected by the Network Traffic Monitoring equipment is 20Gbps, no local network safeguard meets the cleaning condition, so the Network Traffic Monitoring equipment selects at least one of the cloud network safeguards that meet the cleaning condition as the safeguard that cleans the attack traffic. Assuming the cloud network safeguards that meet the cleaning condition are cloud network safeguard A and cloud network safeguard B, at least one of cloud network safeguards A and B is selected.
In the embodiment of the present invention, the Network Traffic Monitoring module performs the intelligent selection of network protection module: traffic is cleaned locally when the resources of the local network protection module are sufficient; when the local protective capacity is exceeded, cleaning switches to the cloud network protection module, which has greater capacity, so that cleaning resources are used effectively.
In the embodiment of the present invention, before the cloud network safeguard cleans the attack traffic, the cloud network safeguard receives the attack traffic drawn by the Network Traffic Monitoring equipment.
Here, the attack traffic is drawn to the cloud network safeguard after the Network Traffic Monitoring equipment determines, according to the size of the attack traffic and the protective capacity of the safeguards, that the attack traffic is to be cleaned by the cloud network safeguard. The safeguards include local network safeguards and cloud network safeguards, and the protective capacity of a safeguard indicates its ability to protect against and clean attack traffic.
In the embodiment of the present invention, the network protection modules that clean network attack traffic are divided into local and cloud. Optionally, the local (or cloud) protection module can be divided more finely. There are many ways to divide; two are listed below:
Division mode one: by function.
For example, the local and/or cloud network protection module is divided into an anti-DDoS module, an anti-CC (Challenge Collapsar) module, a WAF (Web Application Firewall, website application layer intrusion prevention system) protection module and so on, as shown in Figure 2B.
Division mode two: by customized protection rules.
For example, the module is divided into a public protection module and customized protection modules, where a customized protection module can be used to meet particular customized protection requirements. As shown in Figure 2C, the local (cloud) network protection module is divided into 3 modules: public protection module, customized protection module 1 and customized protection module 2.
It should be noted that the division modes listed in the embodiment of the present invention are merely illustrative; any way of dividing the local and/or cloud network protection module is applicable to the embodiment of the present invention.
In the embodiment of the present invention, the protective capacity of a network protection module can be expressed by the protective capacity indicators shown in Table 1, including the attack peak traffic that can be protected against, the number of concurrent attack connections, CPU, memory and so on. The total protective capacity of the local network protection module is lower than that of the cloud network protection module.

| Parameter category | Score | Weight | Description |
|---|---|---|---|
| CPU | S1 | α | CPU frequency, number of cores, cache size, utilization |
| Memory | S2 | β | Memory size, utilization |
| Cleaning traffic | S3 | γ | Total traffic cleaned by the protection module |
| Total concurrent attack connections | S4 | δ | Total number of connections held by the protection module |

Table 1: Protective capacity indicator statistics

The protective capacity score of network protection module A1 is then calculated by the following equation:
$C1 = \alpha \cdot S1(A1) + \beta \cdot S2(A1) + \gamma \cdot S3(A1) + \delta \cdot S4(A1)$
Assume that $C1_{total}$ denotes the total score, i.e. the initial value (score) when the total number of concurrent attack connections of the network protection module is 0, and $C1_{total} = 100$. The score of each parameter and the weighting coefficients (i.e. weights) can be adjusted according to the actual situation so that the initial total score is always 100. As parameters such as the module's total number of concurrent attack connections change, the score gradually falls below 100; that is, C1 gradually decreases as the network protection module is used.
In the embodiment of the present invention, the protection parameter is determined from the protective capacity of the safeguard; the protection parameter of a network protection module is determined by the total protective capacity of all safeguards in that module. Optionally, the protective capacity utilization of the network protection module can be used as the protection parameter.
For example, the protective capacity utilization of network protection module A1 is denoted R1:
$R1_{\text{protective capacity}} = 1 - C1_{used}/100$
where $C1_{used}$ denotes the protective capacity score of network protection module A1 recalculated as parameters such as its total number of concurrent attack connections change; in the initial state $C1_{used} = C1_{total} = 100$. The closer R1 is to 1, the higher the load on the network protection module and the closer it is to saturation.
In addition, because attack traffic is an important indicator, the embodiment of the present invention defines a cleaning utilization (i.e. the cleaning parameter), equal to the ratio of the used cleaning capacity to the total cleaning capacity: $R1_{\text{cleaning capacity}} = S3(A1)_{used}/S3(A1)_{total}$.
In the embodiment of the present invention, when a network protection module includes multiple safeguards, $S3(A1)_{used}$ denotes the total score of the used cleaning capacity of all safeguards in the module, and $S3(A1)_{total}$ denotes the total score of the cleaning capacity of all safeguards.
For example, network protection module A1 includes two safeguards, safeguard b1 and safeguard b2. If the cleaning capacity score of each of b1 and b2 is 100, the total cleaning capacity score is 200. If the used cleaning capacity of b1 is 50%, i.e. a score of 50, and the score of the used cleaning capacity of b2 is 50, then the total score of the used cleaning capacity of b1 and b2 is 100, i.e. $S3_{used} = 100$ and $S3_{total} = 200$, so $R1_{\text{cleaning capacity}} = S3(A1)_{used}/S3(A1)_{total} = 50\%$.
In the embodiment of the present invention, when a network protection module includes multiple safeguards, $C1_{used}$ and $C1_{total}$ are calculated on the same principle as $S3(A1)_{used}$ and $S3(A1)_{total}$. That is, $C1_{used}$ denotes the total score of the used protective capacity of all safeguards in the network protection module, and $C1_{total}$ denotes the total score of the protective capacity of all safeguards.
In the embodiment of the present invention, each network protection module periodically reports to the Network Traffic Monitoring module the current value of each parameter shown in Table 1, and the Network Traffic Monitoring module calculates the protection parameter and cleaning parameter of each network protection module.
For example, with report cycle T, the current parameter values that network protection module A1 reports at time t=T are: S1=85, S2=86, S3=87, S4=88; the current parameter values it reports at time t=2T are: S1=75, S2=74, S3=73, S4=72.
After the Network Traffic Monitoring module detects attack traffic, it considers both the current size of the attack traffic and the protective capacity of the network protection modules to decide which network protection module will clean the attack traffic.
Optionally, when deciding which network protection module cleans the attack traffic, the Network Traffic Monitoring module can also consider the attack type of the attack traffic in addition to the attack traffic size and the protective capacity of the network protection modules, so as to select network protection equipment better suited to that attack type and achieve more efficient protection. For example, when the type of the attack traffic is DDoS, the local or cloud anti-DDoS module can be selected to clean the attack traffic.
In the embodiment of the present invention, cloud network protection modules can be divided into two major classes by traction mode: one class is realized by route traction in a higher-layer backbone network, such as the dedicated cleaning resource rooms built by operators; the other class is realized by DNS (Domain Name System) traction, typified by the high-defense rooms of internet vendors.
As shown in Figure 3A, assume there are 2 Network Traffic Monitoring modules A and B and 3 network protection modules A, B1 and B2. Network protection module A is a local network protection module with a maximum protection flow threshold of 20Gbps; the maximum protection flow thresholds of the two cloud network protection modules B1 and B2 are 100Gbps and 1Tbps respectively; the protective capacity utilization threshold is 80% and the cleaning peak threshold is 90%; and traffic is drawn to cloud network protection module B2 by DNS.
The process by which the Network Traffic Monitoring module selects a network protection module is described in detail below, as shown in Figure 3B:
Step 1 (initial phase): the 3 network protection modules send their respective protective capacity indicators to the 2 Network Traffic Monitoring modules;
Step 2: Network Traffic Monitoring module A detects attack traffic (the attack traffic size is currently 10Gbps) and calculates that the protection parameter of local network protection module A is < 80% and its cleaning parameter is < 90%; it directly selects local network protection module A to clean the traffic and continues to monitor the attack traffic;
Step 3: Network Traffic Monitoring module A again detects attack traffic of 10Gbps, and the protection parameter of local network protection module A exceeds 80%, while the protection parameters and cleaning parameters of the two cloud network protection modules are below the corresponding thresholds. It preferentially selects protection module B1, which has the smaller cleaning capacity, and sends a traction instruction to traffic monitoring module B; traffic monitoring module B initiates the traction, drawing the traffic at the provincial backbone to cloud network protection module B1, and continues to monitor the attack traffic;
Step 4: Network Traffic Monitoring module B detects attack traffic of 90Gbps; the cleaning parameter of cloud network protection module B1 reaches 90%, while the protection parameter and cleaning parameter of cloud network protection module B2 are below the corresponding thresholds. It sends a traction instruction to the DNS configuration server, and the traffic is drawn by DNS traction to cloud network protection module B2 for cleaning.
In the embodiment of the present invention, the thresholds and steps described above can be adjusted according to circumstances. In practice steps 2 and 3 may be skipped directly, and the cloud network protection modules may all be based on route traction or all on DNS traction.
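The selection walk-through in steps 1 to 4 above, together with the cleaning condition and the protection and cleaning parameter formulas defined earlier, as an added Python example that is not part of the patent text. The `Module` class, the function names, the action strings and the per-step load values (a score of 15 for module A, 90 of 100 for B1) are constructed for illustration, and picking the smallest qualifying module generalizes the preference that step 3 states for B1.

```python
from dataclasses import dataclass

UTILIZATION_THRESHOLD = 0.80    # protective capacity utilization threshold (page value)
CLEANING_PEAK_THRESHOLD = 0.90  # cleaning peak threshold (page value)


@dataclass
class Module:
    """One network protection module as seen by the monitoring module."""
    name: str
    location: str            # "local" or "cloud"
    traction: str            # "route" or "dns"
    max_gbps: float          # maximum protection flow threshold
    c_used: float = 100.0    # recalculated capability score C1used (100 = idle)
    s3_used: float = 0.0     # used cleaning capacity score
    s3_total: float = 100.0  # total cleaning capacity score

    def protection_param(self) -> float:
        # R1(protective capacity) = 1 - C1used / 100
        return 1 - self.c_used / 100

    def cleaning_param(self) -> float:
        # R1(cleaning capacity) = S3used / S3total
        return self.s3_used / self.s3_total


def capability_score(scores, weights):
    """C1 = alpha*S1 + beta*S2 + gamma*S3 + delta*S4 for one periodic report."""
    if len(scores) != len(weights):
        raise ValueError("one weight per reported score is required")
    return sum(w * s for w, s in zip(weights, scores))


def meets_cleaning_condition(m, attack_gbps):
    """All three parts of the cleaning condition must hold."""
    return (attack_gbps <= m.max_gbps
            and m.protection_param() < UTILIZATION_THRESHOLD
            and m.cleaning_param() < CLEANING_PEAK_THRESHOLD)


def select_module(modules, attack_gbps):
    """Prefer local modules, fall back to cloud; None if nothing qualifies."""
    for location in ("local", "cloud"):
        ok = [m for m in modules
              if m.location == location
              and meets_cleaning_condition(m, attack_gbps)]
        if ok:
            # Assumption: take the smallest qualifying capacity, as step 3
            # does when it prefers B1 over B2.
            return min(ok, key=lambda m: m.max_gbps)
    return None


def traction_action(m):
    """Map the chosen module to the traction path described in the text."""
    if m is None:
        return "no module meets the cleaning condition"
    if m.location == "local":
        return "send traction route to ingress router"
    if m.traction == "dns":
        return "notify DNS configuration server"
    return "notify upper-layer monitoring module"


def decide(modules, attack_gbps):
    pick = select_module(modules, attack_gbps)
    return (pick.name if pick else None, traction_action(pick))


def run_scenario():
    """Steps 2 to 4 with constructed load values for A and B1."""
    a = Module("A", "local", "route", 20)
    b1 = Module("B1", "cloud", "route", 100)
    b2 = Module("B2", "cloud", "dns", 1000)
    modules = [a, b1, b2]
    decisions = [decide(modules, 10)]      # step 2: everything idle
    a.c_used = 15.0                        # constructed: protection param 0.85
    decisions.append(decide(modules, 10))  # step 3: A over the 80% threshold
    b1.s3_used = 90.0                      # constructed: cleaning param 0.90
    decisions.append(decide(modules, 90))  # step 4: B1 at the 90% peak
    return decisions


if __name__ == "__main__":
    for name, action in run_scenario():
        print(name, "->", action)
```

Because the cleaning condition uses strict inequalities for both parameters, a module sitting exactly at a threshold, as B1 does in step 4, is already excluded.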
Optionally, while drawing attack traffic, the Network Traffic Monitoring module can use a prevention policy synchronization instruction to trigger the local network protection module and the cloud network protection module to share prevention policy information, achieving more efficient flow cleaning.
For example, the Network Traffic Monitoring module sends a prevention policy synchronization instruction to the local and/or cloud network protection module when drawing attack traffic, or periodically, so that prevention policies are shared between the local network protection module and the cloud network protection modules at every level.
Optionally, after receiving a prevention policy sent by the local network protection module, the cloud network protection module adds the prevention policy to its prevention policy set, selects from the set the prevention policy corresponding to the attacked target IP address of the attack traffic, and cleans the attack traffic according to the selected prevention policy.
For example, the prevention policy of cloud network protection module 1 itself is prevention policy 1. The cloud network protection module successively receives 2 prevention policies shared by local network protection module 1, namely prevention policy 2 and prevention policy 3, and prevention policy 4 shared by local network protection module 2, and adds these 3 prevention policies to the prevention policy set. After the Network Traffic Monitoring module draws attack traffic to cloud network protection module 1, cloud network protection module 1 selects from the prevention policy set the 2 prevention policies corresponding to the target IP address of the attack traffic, namely prevention policy 2 and prevention policy 4. When cloud network protection module 1 cleans the attack traffic according to the selected prevention policies, it may clean according to prevention policy 2 or prevention policy 4, or it may use prevention policy 2 and/or prevention policy 4, combined with the actual condition of the attack traffic, to optimize its own prevention policy 1 and clean the attack traffic with the optimized prevention policy 1.
Optionally, after the cloud network protection module cleans the attack traffic, it can share the optimized prevention policy 1 with the local network protection module, so that the local network protection module optimizes its own prevention policy according to the prevention policy received from the cloud network protection module, realizing mutual learning of prevention policies between the cloud and local network protection modules.
It should be noted that the way, cited in the embodiment of the present invention, in which the cloud network protection module cleans attack traffic according to the prevention policy in the prevention policy set that corresponds to the target IP address of the attack traffic is merely illustrative; any way of cleaning attack traffic according to a prevention policy corresponding to the target IP address of the attack traffic is applicable to the embodiment of the present invention.
As shown in Figure 4, the embodiment of the present invention provides a flow cleaning method, which specifically includes the following steps:
Step 400: after detecting attack traffic, the Network Traffic Monitoring equipment determines the size of the attack traffic;
Step 401: the Network Traffic Monitoring equipment determines, according to the size of the attack traffic and the protective capacity of the safeguards, the safeguard that cleans the attack traffic, where the safeguards include local network safeguards and cloud network safeguards, and the protective capacity of a safeguard indicates its ability to protect against and clean attack traffic;
Step 402: the Network Traffic Monitoring equipment draws the attack traffic to the determined safeguard.
Optionally, the Network Traffic Monitoring equipment determining, according to the size of the attack traffic and the protective capacity of the safeguards, the safeguard that cleans the attack traffic includes:
the Network Traffic Monitoring equipment judges, according to the size of the attack traffic and the protective capacity of the safeguards, whether there is a local network safeguard that meets the cleaning condition;
if so, the Network Traffic Monitoring equipment selects at least one local network safeguard from the local network safeguards that meet the cleaning condition as the safeguard that cleans the attack traffic;
otherwise, the Network Traffic Monitoring equipment selects at least one cloud network safeguard from the cloud network safeguards that meet the cleaning condition as the safeguard that cleans the attack traffic.
Optionally, the cleaning condition is:
The size of the attack traffic is no greater than the maximum protection flow threshold of the safeguard, the protection parameter determined from the safeguard's protective capacity is less than the protective capacity utilization threshold, and the cleaning parameter determined from the safeguard's protective capacity is less than the cleaning peak threshold.
Optionally, the method further includes:
the Network Traffic Monitoring equipment periodically sends a prevention policy synchronization instruction to the determined safeguard, so that prevention policies are shared between the local network safeguard and the cloud network safeguard.
As shown in Figure 5, the embodiment of the present invention provides a flow cleaning method, which specifically includes the following steps:
Step 500: the cloud network safeguard receives the attack traffic drawn by the Network Traffic Monitoring equipment;
Step 501: the cloud network safeguard cleans the attack traffic.
Here, the attack traffic is drawn to the cloud network safeguard after the Network Traffic Monitoring equipment determines, according to the size of the attack traffic and the protective capacity of the safeguards, that the attack traffic is to be cleaned by the cloud network safeguard. The safeguards include local network safeguards and cloud network safeguards, and the protective capacity of a safeguard indicates its ability to protect against and clean attack traffic.
Optionally, the cloud network safeguard cleaning the attack traffic includes:
the cloud network safeguard selects, from the prevention policy set, the prevention policy corresponding to the attacked target IP address of the attack traffic;
the cloud network safeguard cleans the attack traffic according to that prevention policy.
Optionally, before the cloud network safeguard selects from the prevention policy set the prevention policy corresponding to the attacked target IP address of the attack traffic, the method further includes:
the cloud network safeguard receives the prevention policy sent by the local network safeguard and adds the prevention policy to the prevention policy set.
Below, for a system made up of one Network Traffic Monitoring module, one local network protection module and one cloud network protection module, two specific embodiments are given to describe the attack traffic cleaning method in detail.
Embodiment one:
Assume that the attack traffic is small at first, less than the maximum protection flow threshold of the local network protection module, and is drawn to the local network protection module. During the attack it grows to exceed the maximum protection flow threshold of the local network protection module, so traction to the cloud network protection module is triggered, the traffic goes to the server over the original link, and prevention policies are shared between the local network protection module and the cloud network protection module, as shown in Figure 6. The detailed process is as follows:
Step 600: the Network Traffic Monitoring module detects attack traffic for the target IP address(es), analyzes and judges it through its internal flow analysis module, and triggers route traction to the local network protection module for flow cleaning;
Step 601: the local network protection module cleans the traffic according to the local prevention policies and re-injects it to the original server after cleaning is complete;
Step 602: the Network Traffic Monitoring module detects that the peak size of the attack traffic has exceeded the maximum protection flow threshold of the local network protection module, triggers protection by the cloud network protection module, and at the same time sends a prevention policy synchronization instruction to the local network protection module;
Step 603: the local network protection module receives the prevention policy synchronization instruction from the Network Traffic Monitoring module and synchronizes its prevention policies, carrying information such as the attacked target IP address(es), to the cloud network protection module;
Step 604: the cloud network protection module combines the local prevention policies with analysis of the actual attack traffic to optimize its own prevention policies, performs the cleaning operation on the traffic, and periodically shares prevention policies with the local network protection module corresponding to the destination IP(s);
Step 605: after detecting that the attack has stopped, the cloud network protection module triggers return of the traffic to the original destination IP(s).
Embodiment two:
Assume that the attack traffic exceeds the maximum protection flow threshold of the local network protection module from the very start, so the attack traffic is drawn to the cloud network protection module from the beginning. The cloud network protection module analyzes the attack traffic, self-learns to optimize its own prevention policies, cleans the attack traffic, and synchronizes the optimized prevention policies back to the local network protection module. A certain time after the attack stops, the traffic goes to the server over the original link, as shown in Figure 7. The detailed process is as follows:
Step 700: the Network Traffic Monitoring module analyzes external traffic in real time and detects attack traffic; its internal flow analysis module judges that the peak of the attack traffic exceeds the maximum protection flow threshold of the local network protection module, and traction to the cloud network protection module is triggered;
Step 701: the Network Traffic Monitoring module draws the attack traffic to the cloud network protection module;
Step 702: the cloud network protection module performs the cleaning operation on the traffic using its own prevention policies and, on detecting that the attack has stopped, triggers return of the traffic to the original destination IP(s);
Step 703: the cloud network protection module receives the prevention policy synchronization instruction sent by the Network Traffic Monitoring module and shares prevention policies with the local network protection module corresponding to the destination IP(s) of the attack traffic.
In the embodiment of the present invention, traction and re-injection are carried out differently for cloud network protection modules with different traction modes. For step 602 or step 701, there are the following two cases:
Case one, for a cloud network protection module using route traction:
The Network Traffic Monitoring module sends a traction notification to the upper-layer backbone routers, triggering route traction of the traffic for the attacked target IP address to the cloud network protection module.
Case two, for a cloud network protection module using DNS traction:
The Network Traffic Monitoring module sends information including the attacked target IP address, domain name and service port to the cloud network protection module. The cloud network protection module returns the corresponding high-defense IP and CNAME (Canonical Name) to the corresponding DNS server, and the DNS record is modified, completing DNS traction of the traffic for the attacked destination IP(s) to the cloud network protection module.
For step 605 or step 702, there are likewise the following two cases:
Case one, for a cloud network protection module using route traction:
The traffic is released automatically after the traction route retention period expires. Assuming the traction time is t, the traffic is released automatically a time t after the network monitoring equipment draws the attack traffic to the cloud network safeguard.
Case two, for a cloud network protection module using DNS traction:
The cloud network protection module sends a DNS switch-back notification to the DNS server to complete the switching of traffic for the corresponding destination IP(s).
Based on the same inventive concept, an embodiment of the present invention further provides a network traffic monitoring device. Because this device is the network traffic monitoring device of the method in the embodiments of the present invention, and the principle by which it solves the problem is similar to that of the method, its implementation may refer to the implementation of the method; repeated description is omitted.
As shown in Fig. 8, an embodiment of the present invention further provides a network traffic monitoring device. The device comprises at least one processing unit 800 and at least one storage unit 801, wherein the storage unit 801 stores program code which, when executed by the processing unit 800, causes the device to perform the following process:
After detecting attack traffic, determine the size of the attack traffic;
Determine, according to the size of the attack traffic and the protective capability of the safeguards, the safeguard that is to clean the attack traffic, wherein the safeguards include local network safeguards and cloud network safeguards, and the protective capability of a safeguard indicates the safeguard's ability to protect against and clean attack traffic;
Draw the attack traffic to the determined safeguard.
Optionally, the processing unit 800 is specifically configured to:
Judge, according to the size of the attack traffic and the protective capability of the safeguards, whether there is a local network safeguard that meets the cleaning condition;
If so, select at least one local network safeguard from the local network safeguards that meet the cleaning condition as the safeguard that cleans the attack traffic;
Otherwise, select at least one cloud network safeguard from the cloud network safeguards that meet the cleaning condition as the safeguard that cleans the attack traffic.
Optionally, the cleaning condition is:
The size of the attack traffic is not greater than the maximum protection traffic threshold of the safeguard, the protection parameter determined by the protective capability of the safeguard is less than the protective capability utilization threshold, and the cleaning parameter determined by the protective capability of the safeguard is less than the cleaning peak threshold.
Optionally, the processing unit 800 is further configured to:
Periodically send a prevention policy synchronization instruction to the determined safeguard, so that prevention policies are shared between the local network safeguard and the cloud network safeguard.
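The selection rule and cleaning condition described above, written out as an added Python example (not code from the patent): local safeguards are tried first, and cloud safeguards are considered only when no local one meets the cleaning condition. The field names, sample devices, threshold values, the Gbps unit, the ordering of qualifying devices, and the empty result when nothing qualifies are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple

LOCAL, CLOUD, NONE = "local", "cloud", "none"


@dataclass(frozen=True)
class Thresholds:
    # Hypothetical numbers: the text names these thresholds but gives no values.
    utilization: float    # protective capability utilization threshold
    cleaning_peak: float  # cleaning peak threshold


@dataclass(frozen=True)
class Safeguard:
    name: str
    tier: str                   # LOCAL or CLOUD
    max_protection_flow: float  # maximum protection traffic threshold (Gbps assumed)
    protection_param: float     # protection parameter derived from protective capability
    cleaning_param: float       # cleaning parameter derived from protective capability


def meets_cleaning_condition(dev: Safeguard, attack_size: float, th: Thresholds) -> bool:
    """All three parts of the cleaning condition must hold.

    Note the mixed comparisons: the size test is "not greater than" (<=),
    while the two parameter tests are strict "less than" (<).
    """
    return (
        attack_size <= dev.max_protection_flow
        and dev.protection_param < th.utilization
        and dev.cleaning_param < th.cleaning_peak
    )


def select_safeguards(
    devices: Sequence[Safeguard], attack_size: float, th: Thresholds
) -> Tuple[str, List[Safeguard]]:
    """Return (tier, candidates) for cleaning an attack of the given size.

    Local safeguards win whenever at least one qualifies; otherwise the
    qualifying cloud safeguards are returned. Candidates are ordered by the
    lowest protection parameter first (an assumption: the text only says
    "at least one" is selected). If nothing qualifies, (NONE, []) is
    returned so the caller can alert instead of silently dropping the case.
    """
    if attack_size <= 0:
        raise ValueError("attack_size must be positive")
    for tier in (LOCAL, CLOUD):
        qualifying = [
            d for d in devices
            if d.tier == tier and meets_cleaning_condition(d, attack_size, th)
        ]
        if qualifying:
            return tier, sorted(qualifying, key=lambda d: d.protection_param)
    return NONE, []


# Constructed sample inventory (not from the patent).
TH = Thresholds(utilization=0.8, cleaning_peak=100.0)
DEVICES = [
    Safeguard("local-a", LOCAL, 10.0, 0.40, 3.0),
    Safeguard("local-b", LOCAL, 20.0, 0.85, 6.0),   # already over the utilization threshold
    Safeguard("cloud-a", CLOUD, 500.0, 0.30, 50.0),
    Safeguard("cloud-b", CLOUD, 300.0, 0.10, 20.0),
]

if __name__ == "__main__":
    for size in (8.0, 15.0, 400.0, 600.0):
        tier, chosen = select_safeguards(DEVICES, size, TH)
        print(f"{size:>6} Gbps -> {tier}: {[d.name for d in chosen]}")
```

The 15 Gbps case is the one to watch: a local device has enough raw capacity, but it is rejected on utilization, so the traffic goes to the cloud tier.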
Based on the same inventive concept, an embodiment of the present invention further provides a cloud network safeguard. Because this device is the cloud network safeguard of the method in the embodiments of the present invention, and the principle by which it solves the problem is similar to that of the method, its implementation may refer to the implementation of the method; repeated description is omitted.
As shown in Fig. 9, an embodiment of the present invention further provides a cloud network safeguard. The device comprises at least one processing unit 900 and at least one storage unit 901, wherein the storage unit 901 stores program code which, when executed by the processing unit 900, causes the device to perform the following process:
Receive the attack traffic drawn by the network traffic monitoring device;
Clean the attack traffic;
Wherein the attack traffic is drawn to the cloud network safeguard after the network traffic monitoring device determines, according to the size of the attack traffic and the protective capability of the safeguards, that the attack traffic is to be cleaned by the cloud network safeguard; the safeguards include local network safeguards and cloud network safeguards, and the protective capability of a safeguard indicates the safeguard's ability to protect against and clean attack traffic.
Optionally, the processing unit 900 is specifically configured to:
Select, from the prevention policy set, the prevention policy corresponding to the attack target IP address of the attack traffic;
Clean the attack traffic according to the prevention policy.
Optionally, the processing unit 900 is further configured to:
Before selecting from the prevention policy set the prevention policy corresponding to the attack target IP address of the attack traffic, receive the prevention policies sent by the local network safeguard and add them to the prevention policy set.
Based on the same inventive concept, an embodiment of the present invention further provides a network traffic monitoring device. Because this device is the network traffic monitoring device of the method in the embodiments of the present invention, and the principle by which it solves the problem is similar to that of the method, its implementation may refer to the implementation of the method; repeated description is omitted.
As shown in Fig. 10, an embodiment of the present invention further provides a network traffic monitoring device, which comprises a traffic size detection module 1000, a safeguard selection module 1001, and a traffic traction module 1002:
Traffic size detection module 1000: configured to determine the size of the attack traffic after attack traffic is detected;
Safeguard selection module 1001: configured to determine, according to the size of the attack traffic and the protective capability of the safeguards, the safeguard that is to clean the attack traffic, wherein the safeguards include local network safeguards and cloud network safeguards, and the protective capability of a safeguard indicates the safeguard's ability to protect against and clean attack traffic;
Traffic traction module 1002: configured to draw the attack traffic to the determined safeguard.
Optionally, the safeguard selection module 1001 is specifically configured to:
Judge, according to the size of the attack traffic and the protective capability of the safeguards, whether there is a local network safeguard that meets the cleaning condition;
If so, select at least one local network safeguard from the local network safeguards that meet the cleaning condition as the safeguard that cleans the attack traffic;
Otherwise, select at least one cloud network safeguard from the cloud network safeguards that meet the cleaning condition as the safeguard that cleans the attack traffic.
Optionally, the cleaning condition is:
The size of the attack traffic is not greater than the maximum protection traffic threshold of the safeguard, the protection parameter determined by the protective capability of the safeguard is less than the protective capability utilization threshold, and the cleaning parameter determined by the protective capability of the safeguard is less than the cleaning peak threshold.
Optionally, the traffic traction module 1002 is further configured to:
Periodically send a prevention policy synchronization instruction to the determined safeguard, so that prevention policies are shared between the local network safeguard and the cloud network safeguard.
Based on the same inventive concept, an embodiment of the present invention further provides a traffic cleaning device. Because this device is the device of the method in the embodiments of the present invention, and the principle by which it solves the problem is similar to that of the method, its implementation may refer to the implementation of the method; repeated description is omitted.
As shown in Fig. 11, an embodiment of the present invention further provides a traffic cleaning device, which comprises a receiving module 1100 and a traffic cleaning module 1101:
Receiving module 1100: configured to receive the attack traffic drawn by the network traffic monitoring device;
Traffic cleaning module 1101: configured to clean the attack traffic;
Wherein the attack traffic is drawn to the cloud network safeguard after the network traffic monitoring device determines, according to the size of the attack traffic and the protective capability of the safeguards, that the attack traffic is to be cleaned by the cloud network safeguard; the safeguards include local network safeguards and cloud network safeguards, and the protective capability of a safeguard indicates the safeguard's ability to protect against and clean attack traffic.
Optionally, the traffic cleaning module 1101 is specifically configured to:
Select, from the prevention policy set, the prevention policy corresponding to the attack target IP address of the attack traffic;
Clean the attack traffic according to the prevention policy.
Optionally, the receiving module 1100 is further configured to:
Before the prevention policy corresponding to the attack target IP address of the attack traffic is selected from the prevention policy set, receive the prevention policies sent by the local network safeguard and add them to the prevention policy set.
An embodiment of the present invention further provides a computer-readable non-volatile storage medium including program code; when the program code runs on a computing terminal, it causes the computing terminal to execute the steps of the traffic cleaning method of the above embodiments of the present invention.
The application is described above with reference to block diagrams and/or flowcharts showing methods, apparatus (systems), and/or computer program products according to embodiments of the application. It should be understood that a block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, and/or other programmable data processing apparatus to produce a machine, such that the instructions, executed via the computer processor and/or other programmable data processing apparatus, create means for implementing the functions/acts specified in the block diagram and/or flowchart blocks.
Accordingly, the application may also be implemented in hardware and/or software (including firmware, resident software, microcode, etc.). Further, the application may take the form of a computer program product on a computer-usable or computer-readable storage medium, with computer-usable or computer-readable program code embodied in the medium for use by or in connection with an instruction execution system. In the present context, a computer-usable or computer-readable medium may be any medium that can contain, store, communicate, propagate, or transmit the program for use by, or in connection with, an instruction execution system, apparatus, or device.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. Thus, if these modifications and variations fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include them.
Claims (14)
1. A traffic cleaning method, characterized in that the method comprises:
A network traffic monitoring device, after detecting attack traffic, determines the size of the attack traffic;
The network traffic monitoring device determines, according to the size of the attack traffic and the protective capability of safeguards, the safeguard that is to clean the attack traffic, wherein the safeguards include local network safeguards and cloud network safeguards, and the protective capability of a safeguard indicates the safeguard's ability to protect against and clean attack traffic;
The network traffic monitoring device draws the attack traffic to the determined safeguard.
2. The method according to claim 1, characterized in that the network traffic monitoring device determining, according to the size of the attack traffic and the protective capability of the safeguards, the safeguard that is to clean the attack traffic comprises:
The network traffic monitoring device judges, according to the size of the attack traffic and the protective capability of the safeguards, whether there is a local network safeguard that meets the cleaning condition;
If so, the network traffic monitoring device selects at least one local network safeguard from the local network safeguards that meet the cleaning condition as the safeguard that cleans the attack traffic;
Otherwise, the network traffic monitoring device selects at least one cloud network safeguard from the cloud network safeguards that meet the cleaning condition as the safeguard that cleans the attack traffic.
3. The method according to claim 2, characterized in that the cleaning condition is:
The size of the attack traffic is not greater than the maximum protection traffic threshold of the safeguard, the protection parameter determined by the protective capability of the safeguard is less than the protective capability utilization threshold, and the cleaning parameter determined by the protective capability of the safeguard is less than the cleaning peak threshold.
4. The method according to claim 1, characterized in that the method further comprises:
The network traffic monitoring device periodically sends a prevention policy synchronization instruction to the determined safeguard, so that prevention policies are shared between the local network safeguard and the cloud network safeguard.
5. A traffic cleaning method, characterized in that the method comprises:
A cloud network safeguard receives the attack traffic drawn by a network traffic monitoring device;
The cloud network safeguard cleans the attack traffic;
Wherein the attack traffic is drawn to the cloud network safeguard after the network traffic monitoring device determines, according to the size of the attack traffic and the protective capability of safeguards, that the attack traffic is to be cleaned by the cloud network safeguard; the safeguards include local network safeguards and cloud network safeguards, and the protective capability of a safeguard indicates the safeguard's ability to protect against and clean attack traffic.
6. The method according to claim 5, characterized in that the cloud network safeguard cleaning the attack traffic comprises:
The cloud network safeguard selects, from a prevention policy set, the prevention policy corresponding to the attack target Internet Protocol (IP) address of the attack traffic;
The cloud network safeguard cleans the attack traffic according to the prevention policy.
7. The method according to claim 6, characterized in that, before the cloud network safeguard selects from the prevention policy set the prevention policy corresponding to the attack target IP address of the attack traffic, the method further comprises:
The cloud network safeguard receives the prevention policies sent by the local network safeguard, and adds the prevention policies to the prevention policy set.
8. A traffic cleaning device, characterized in that the device comprises at least one processing unit and at least one storage unit, wherein the storage unit stores program code which, when executed by the processing unit, causes the processing unit to perform the following process:
After detecting attack traffic, determine the size of the attack traffic;
Determine, according to the size of the attack traffic and the protective capability of safeguards, the safeguard that is to clean the attack traffic, wherein the safeguards include local network safeguards and cloud network safeguards, and the protective capability of a safeguard indicates the safeguard's ability to protect against and clean attack traffic;
Draw the attack traffic to the determined safeguard.
9. The device according to claim 8, characterized in that the processing unit is specifically configured to:
Judge, according to the size of the attack traffic and the protective capability of the safeguards, whether there is a local network safeguard that meets the cleaning condition;
If so, select at least one local network safeguard from the local network safeguards that meet the cleaning condition as the safeguard that cleans the attack traffic;
Otherwise, select at least one cloud network safeguard from the cloud network safeguards that meet the cleaning condition as the safeguard that cleans the attack traffic.
10. The device according to claim 9, characterized in that the cleaning condition is:
The size of the attack traffic is not greater than the maximum protection traffic threshold of the safeguard, the protection parameter determined by the protective capability of the safeguard is less than the protective capability utilization threshold, and the cleaning parameter determined by the protective capability of the safeguard is less than the cleaning peak threshold.
11. The device according to claim 8, characterized in that the processing unit is further configured to:
Periodically send a prevention policy synchronization instruction to the determined safeguard, so that prevention policies are shared between the local network safeguard and the cloud network safeguard.
12. A traffic cleaning device, characterized in that the device comprises at least one processing unit and at least one storage unit, wherein the storage unit stores program code which, when executed by the processing unit, causes the processing unit to perform the following process:
Receive the attack traffic drawn by a network traffic monitoring device;
Clean the attack traffic;
Wherein the attack traffic is drawn to the cloud network safeguard after the network traffic monitoring device determines, according to the size of the attack traffic and the protective capability of safeguards, that the attack traffic is to be cleaned by the cloud network safeguard; the safeguards include local network safeguards and cloud network safeguards, and the protective capability of a safeguard indicates the safeguard's ability to protect against and clean attack traffic.
13. The device according to claim 12, characterized in that the processing unit is specifically configured to:
Select, from a prevention policy set, the prevention policy corresponding to the attack target IP address of the attack traffic;
Clean the attack traffic according to the prevention policy.
14. The device according to claim 13, characterized in that the processing unit is further configured to:
Before selecting from the prevention policy set the prevention policy corresponding to the attack target IP address of the attack traffic, receive the prevention policies sent by the local network safeguard and add the prevention policies to the prevention policy set.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910444437.7A CN110113435B (en) | 2019-05-27 | 2019-05-27 | Method and equipment for cleaning flow |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910444437.7A CN110113435B (en) | 2019-05-27 | 2019-05-27 | Method and equipment for cleaning flow |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110113435A (en) | 2019-08-09 |
CN110113435B (en) | 2022-01-14 |
Family
ID=67492318
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910444437.7A Active CN110113435B (en) | 2019-05-27 | 2019-05-27 | Method and equipment for cleaning flow |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110113435B (en) |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110457137A (en) * | 2019-08-16 | 2019-11-15 | 杭州安恒信息技术股份有限公司 | Flow analytic method, device, electronic equipment and computer-readable medium |
CN110798404A (en) * | 2019-11-14 | 2020-02-14 | 北京首都在线科技股份有限公司 | Method, device, equipment, storage medium and system for cleaning attack data |
CN111131199A (en) * | 2019-12-11 | 2020-05-08 | 中移(杭州)信息技术有限公司 | Method, device, server and storage medium for controlling traffic cleaning of service attack |
CN111224960A (en) * | 2019-12-27 | 2020-06-02 | 北京天融信网络安全技术有限公司 | Information processing method, information processing device, electronic equipment and storage medium |
CN111385303A (en) * | 2020-03-11 | 2020-07-07 | 江苏亨通工控安全研究院有限公司 | Network security protection system and implementation method |
CN111586018A (en) * | 2020-04-29 | 2020-08-25 | 杭州迪普科技股份有限公司 | Flow cleaning method and device |
CN112073409A (en) * | 2020-09-04 | 2020-12-11 | 杭州安恒信息技术股份有限公司 | Attack flow cleaning method, device, equipment and computer readable storage medium |
CN112615813A (en) * | 2020-11-23 | 2021-04-06 | 杭州朗澈科技有限公司 | Protection method and system for kubernets cluster application |
CN113411351A (en) * | 2021-06-07 | 2021-09-17 | 中国人民解放军空军工程大学 | DDoS attack elastic defense method based on NFV and deep learning |
CN113810348A (en) * | 2020-06-17 | 2021-12-17 | 华为技术有限公司 | Network security detection method, system, equipment and controller |
CN113905058A (en) * | 2021-10-18 | 2022-01-07 | 杭州安恒信息技术股份有限公司 | WAF and DDoS high-protection-based protection method, device and medium |
CN114124836A (en) * | 2022-01-25 | 2022-03-01 | 北京天维信通科技有限公司 | Flow cleaning system and cleaning method based on uCPE built-in cleaning software |
CN114124744A (en) * | 2021-11-24 | 2022-03-01 | 绿盟科技集团股份有限公司 | Flow data display method and device, electronic equipment and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101299724A (en) * | 2008-07-04 | 2008-11-05 | 杭州华三通信技术有限公司 | Method, system and equipment for cleaning traffic |
US9350710B2 (en) * | 2014-06-20 | 2016-05-24 | Zscaler, Inc. | Intelligent, cloud-based global virtual private network systems and methods |
CN107426230A (en) * | 2017-08-03 | 2017-12-01 | 上海优刻得信息科技有限公司 | Server scheduling method, apparatus, system, storage medium and equipment |
CN108199958A (en) * | 2017-12-29 | 2018-06-22 | 深信服科技股份有限公司 | A kind of general secure resources pond service chaining realization method and system |
CN109450841A (en) * | 2018-09-03 | 2019-03-08 | 中新网络信息安全股份有限公司 | A kind of Large Scale DDoS Attack detection and system of defense and defence method based on the on-demand linkage pattern of cloud+end equipment |
Non-Patent Citations (1)
Title |
---|
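Liu Xiaofeng (刘晓锋): "Design and Implementation of a Traffic Cleaning Management System Based on an Alarm Mechanism", China Master's Theses Full-text Database, Information Science and Technology * |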
Cited By (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110457137A (en) * | 2019-08-16 | 2019-11-15 | 杭州安恒信息技术股份有限公司 | Flow analytic method, device, electronic equipment and computer-readable medium |
CN110798404A (en) * | 2019-11-14 | 2020-02-14 | 北京首都在线科技股份有限公司 | Method, device, equipment, storage medium and system for cleaning attack data |
CN111131199A (en) * | 2019-12-11 | 2020-05-08 | 中移(杭州)信息技术有限公司 | Method, device, server and storage medium for controlling traffic cleaning of service attack |
CN111131199B (en) * | 2019-12-11 | 2022-06-03 | 中移(杭州)信息技术有限公司 | Method, device, server and storage medium for controlling traffic cleaning of service attack |
CN111224960A (en) * | 2019-12-27 | 2020-06-02 | 北京天融信网络安全技术有限公司 | Information processing method, information processing device, electronic equipment and storage medium |
CN111224960B (en) * | 2019-12-27 | 2022-07-12 | 北京天融信网络安全技术有限公司 | Information processing method, information processing device, electronic equipment and storage medium |
CN111385303A (en) * | 2020-03-11 | 2020-07-07 | 江苏亨通工控安全研究院有限公司 | Network security protection system and implementation method |
CN111586018B (en) * | 2020-04-29 | 2022-05-31 | 杭州迪普科技股份有限公司 | Flow cleaning method and device |
CN111586018A (en) * | 2020-04-29 | 2020-08-25 | 杭州迪普科技股份有限公司 | Flow cleaning method and device |
CN113810348A (en) * | 2020-06-17 | 2021-12-17 | 华为技术有限公司 | Network security detection method, system, equipment and controller |
CN112073409A (en) * | 2020-09-04 | 2020-12-11 | 杭州安恒信息技术股份有限公司 | Attack flow cleaning method, device, equipment and computer readable storage medium |
CN112615813A (en) * | 2020-11-23 | 2021-04-06 | 杭州朗澈科技有限公司 | Protection method and system for kubernets cluster application |
CN113411351A (en) * | 2021-06-07 | 2021-09-17 | 中国人民解放军空军工程大学 | DDoS attack elastic defense method based on NFV and deep learning |
CN113905058A (en) * | 2021-10-18 | 2022-01-07 | 杭州安恒信息技术股份有限公司 | WAF and DDoS high-protection-based protection method, device and medium |
CN114124744A (en) * | 2021-11-24 | 2022-03-01 | 绿盟科技集团股份有限公司 | Flow data display method and device, electronic equipment and storage medium |
CN114124744B (en) * | 2021-11-24 | 2023-06-02 | 绿盟科技集团股份有限公司 | Flow data display method and device, electronic equipment and storage medium |
CN114124836A (en) * | 2022-01-25 | 2022-03-01 | 北京天维信通科技有限公司 | Flow cleaning system and cleaning method based on uCPE built-in cleaning software |
CN114124836B (en) * | 2022-01-25 | 2022-11-25 | 北京天维信通科技有限公司 | Flow cleaning system and cleaning method based on uCPE built-in cleaning software |
Also Published As
Publication number | Publication date |
---|---|
CN110113435B (en) | 2022-01-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110113435A (en) | A kind of method and apparatus of flow cleaning | |
Agrawal et al. | Defense mechanisms against DDoS attacks in a cloud computing environment: State-of-the-art and research challenges | |
Liaskos et al. | A novel framework for modeling and mitigating distributed link flooding attacks | |
CN112615818B (en) | SDN-based DDOS attack protection method, device and system | |
Manavi | Defense mechanisms against distributed denial of service attacks: A survey | |
Iyengar et al. | A fuzzy logic based defense mechanism against distributed denial of service attack in cloud computing environment | |
US10326736B2 (en) | Feature-based classification of individual domain queries | |
CN107135187A (en) | Preventing control method, the apparatus and system of network attack | |
CN107426230B (en) | Server scheduling method, apparatus, system, storage medium and equipment | |
CN113992539B (en) | Network security dynamic route hopping method and system | |
Du et al. | DDoS defense deployment with network egress and ingress filtering | |
Chowdhury et al. | EDoS eye: A game theoretic approach to mitigate economic denial of sustainability attack in cloud computing | |
Singh et al. | Prevention mechanism for infrastructure based denial-of-service attack over software defined network | |
Wu et al. | I-CIFA: An improved collusive interest flooding attack in named data networking | |
Chen et al. | Defending against link flooding attacks in internet of things: A bayesian game approach | |
Zhauniarovich et al. | Sorting the garbage: Filtering out DRDoS amplification traffic in ISP networks | |
Bawa et al. | Enhanced mechanism to detect and mitigate economic denial of sustainability (EDoS) attack in cloud computing environments | |
CN106357661B (en) | A kind of distributed refusal service attack defending method based on interchanger rotation | |
Mudgal et al. | Spark-Based Network Security Honeypot System: Detailed Performance Analysis | |
Khan et al. | Real-time cross-layer design for a large-scale flood detection and attack trace-back mechanism in IEEE 802.11 wireless mesh networks | |
CN106817268B (en) | DDOS attack detection method and system | |
Dolev et al. | Trawling traffic under attack overcoming ddos attacks by target-controlled traffic filtering | |
Khirwadkar | Defense against network attacks using game theory | |
Maswood et al. | A sliding window based monitoring scheme to detect and prevent ddos attack in data center networks in a dynamic traffic environment | |
Kalwar et al. | TVis: A Light-weight Traffic Visualization System for DDoS Detection |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
CB02 | Change of applicant information | Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building; Applicant after: NSFOCUS Technologies Group Co.,Ltd.; Applicant after: NSFOCUS TECHNOLOGIES Inc.; Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building; Applicant before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.; Applicant before: NSFOCUS TECHNOLOGIES Inc. |
GR01 | Patent grant | ||